Make your OpenStack Cloud Self-Defending with VESPA! OpenStack Summit Paris, November 5, 2014. Marc Lacoste Aurélien Wailly Orange Labs


Agenda

Motivation and Approach
VESPA: Principle and Architecture
A Typical Use Case
The VESPA Project
Perspectives & Key Take-Aways

What's Wrong with IaaS Today?

THREAT proliferation: system threats and network threats call for cross-layer security and end-to-end security.
Goal: STRONG security. Perform 360° security supervision. Design an open security architecture.

COMPLEXITY of security management: diverse mechanisms, manual configuration, static management, low reactivity. A security administration nightmare.
Goal: SIMPLE security. Ease administration. Reduce OPEX. Increase efficiency.

Our Approach: IaaS Clouds with Self-Defense Capabilities

Autonomous security management makes cloud protection simpler and stronger:

Lighter administration.
Increased reactivity.
Lower operational costs.
Graduated response.
Security supervision enabler.

What is VESPA?

VESPA = Virtual Environments Self-Protecting Architecture: an automated security supervision framework for IaaS and multi-DC infrastructures.

APPLICATIONS
Cloud provider: IaaS monitoring. Anti-malware. Anti-DDoS. End-to-end security.
Customers: SecaaS appliances.

Design principles

STRONG SECURITY
Cross-layer security: detect / respond to the overall extent of an attack.
Open architecture: mitigate new threats, integrate legacy counter-measures.

SIMPLE SECURITY
Automated security supervision: choose in-layer, cross-layer, multi-DC.
Tuneable defense patterns: orchestrate multiple loops for a rich defense strategy.

VESPA System Architecture

[Figure: VESPA planes and layers. Four planes: Resource Plane, Security Plane, Agent Plane, Orchestration Plane. Three resource layers: VM, Hypervisor, Physical. In each layer a Detection Agent reports to a Detection Manager (DETECTION); a DECISION step follows; a Reaction Manager drives a Reaction Agent (REACTION) that acts on the RESOURCES. HO and VO are the horizontal and vertical orchestrators.]

[Figure, same architecture: Intra-Layer Self-Protection. The detection / decision / reaction loop is closed within a single layer.]

[Figure, same architecture: Cross-Layer Self-Protection. The loop spans the VM, Hypervisor and Physical layers.]

Use Case: Risk-Aware Flexible VM Confinement

An instantiation: dynamic VM quarantine.

Three levels of self-protection:

Extension to other OpenStack services (e.g., Nova, Neutron, Ceph/Glance, Keystone) using dedicated agents for mediation.
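The detection / decision / reaction loop and the dynamic VM quarantine use case above, as an added toy simulation. This is not vespa-core code and not the authors' implementation: the layer names follow the slides, but the alert format, the risk scoring, the thresholds and the three graduated confinement levels (monitor, network-isolate, suspend) are assumptions made for the example, and the reaction agents only record the action they would take instead of calling OpenStack.

```python
"""Toy simulation of a VESPA-style detection / decision / reaction loop.

Constructed example (not vespa-core code): detection agents in three layers
(VM, hypervisor, physical) raise alerts, a detection manager correlates them
per VM, a decision step maps the correlated risk to a graduated confinement
level, and a reaction manager dispatches the chosen counter-measure to the
reaction agent of the layer that can enforce it.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from enum import IntEnum


class Layer(IntEnum):
    VM = 1
    HYPERVISOR = 2
    PHYSICAL = 3


class Confinement(IntEnum):      # three graduated response levels (assumed here)
    MONITOR = 0                  # keep watching, no change to the VM
    NETWORK_ISOLATE = 1          # move the VM into a quarantine network zone
    SUSPEND = 2                  # pause the VM pending operator review


@dataclass(frozen=True)
class Alert:
    layer: Layer
    vm_id: str
    kind: str
    severity: int   # 1 (info) .. 5 (critical), set by the detection agent


@dataclass
class ReactionAgent:
    """Simulated per-layer reaction agent: records what it would have done."""
    layer: Layer
    actions: list = field(default_factory=list)

    def apply(self, vm_id: str, level: Confinement) -> str:
        action = f"{self.layer.name}:{level.name}:{vm_id}"
        self.actions.append(action)
        return action


def correlate(alerts):
    """Detection manager: per VM, sum severities and count distinct layers.

    Cross-layer evidence (the same VM flagged by several layers) is weighted
    higher than repeated alerts from one layer, which is the point of the
    cross-layer loop: the same score is reached with fewer, more diverse alerts.
    """
    risk = defaultdict(int)
    layers = defaultdict(set)
    for a in alerts:
        risk[a.vm_id] += a.severity
        layers[a.vm_id].add(a.layer)
    return {vm: risk[vm] * len(layers[vm]) for vm in risk}


def decide(score: int) -> Confinement:
    """Decision step: map a correlated risk score to a confinement level.

    Thresholds are assumed for the example; in a real deployment they would
    come from the security policy."""
    if score >= 20:
        return Confinement.SUSPEND
    if score >= 8:
        return Confinement.NETWORK_ISOLATE
    return Confinement.MONITOR


# Which layer's reaction agent enforces each level (assumed mapping).
TARGET_LAYER = {
    Confinement.MONITOR: Layer.VM,
    Confinement.NETWORK_ISOLATE: Layer.PHYSICAL,   # e.g. a vSwitch / firewall rule
    Confinement.SUSPEND: Layer.HYPERVISOR,
}


def run_loop(alerts, agents):
    """One pass of detection -> decision -> reaction; returns {vm_id: level}."""
    decisions = {}
    for vm_id, score in correlate(alerts).items():
        level = decide(score)
        decisions[vm_id] = level
        agents[TARGET_LAYER[level]].apply(vm_id, level)
    return decisions


# Constructed sample alerts (not real detector output).
SAMPLE_ALERTS = [
    Alert(Layer.VM, "vm-a", "av-signature-match", 3),
    Alert(Layer.VM, "vm-a", "av-signature-match", 2),           # 5 * 1 layer  =  5 -> MONITOR
    Alert(Layer.VM, "vm-b", "av-signature-match", 3),
    Alert(Layer.HYPERVISOR, "vm-b", "unexpected-privileged-call", 2),  # 5 * 2 = 10 -> NETWORK_ISOLATE
    Alert(Layer.VM, "vm-c", "av-signature-match", 4),
    Alert(Layer.HYPERVISOR, "vm-c", "introspection-anomaly", 3),
    Alert(Layer.PHYSICAL, "vm-c", "outbound-flood", 3),         # 10 * 3 layers = 30 -> SUSPEND
]


def demo():
    """Run the loop over the sample alerts; returns (decisions, agents)."""
    agents = {layer: ReactionAgent(layer) for layer in Layer}
    return run_loop(SAMPLE_ALERTS, agents), agents


if __name__ == "__main__":
    decisions, agents = demo()
    for vm, level in sorted(decisions.items()):
        print(vm, level.name)
    for agent in agents.values():
        print(agent.layer.name, agent.actions)
```

vm-b and vm-a carry the same total severity, but vm-b is confined because its evidence comes from two layers; that is the difference between the intra-layer and cross-layer loops in the figures above, reduced to one multiplier.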

The VESPA Project

A VESPA Implementation

Research results:

Framework [ICAC'12]: A. Wailly, M. Lacoste, H. Debar. "VESPA: Multi-Layered Self-Protection for Cloud Resources". ACM International Conference on Autonomic Computing (ICAC), San José, USA, September 2012.

Extensions:
Network management (SDN approach).
Mobile cloud SLAs: Orange MC2 [UCC'13].
VMM self-protection: KungFuVisor [EURODW'12], self-stabilization [DSS'14].
Keynotes [SSS'11], panels [IM'11, NOMS'14], tutorials [ICAR'13, MOBILECLOUD'14].

Code available at: https://github.com/Orange-OpenSource/vespa-core

RESULTS

Framework: supervision of single-cloud and multi-DC security.
Available in open source.
Different applications demonstrating the viability of the self-defending cloud concept.

CURRENT VESPA FUNCTIONALITIES (so far)

VESPA = core + security plug-ins.

Supported:   Anti-virus. Hypervisor control. Firewall. Log analysis.
In progress: Integration with Heat + Horizon. Network zones. vSwitch management (SDN).

Perspectives

Next steps:
Hardened code base, push in more features: deployment of components, administration console, IDS plug-in, secure communications, perimetric defense...
More advanced functionalities: security policy / SLA management, hypervisor defense.
Integration within OpenStack: blueprint submission. Extension to Nova? Neutron? Others? Standalone OpenStack project?

Going multi-cloud:
For distributed clouds.
For edge clouds.
For convergence with SDN/NFV security.

Key Take-Aways

VESPA = a framework for supervising the security of IaaS infrastructures. Fills a gap among existing security solutions.

VESPA brings cloud security supervision intelligence:
Simple security: rich levels of security automation.
Strong security: multi-level protection + a fully open design to integrate existing security solutions.

VESPA may come in several deployment modes:
VESPA-ready IaaS to protect infrastructure and/or customer VMs.
Security appliance.
SaaS (security supervision enabler).

Taking it to the next level:
Compatibility with architecture and mechanisms.
Looking for feedback from the community to integrate into new releases!

Thank you!

Contacts:

[email protected]

[email protected]